easy way to check ipa-client status
by email@ml.jacobdevans.com
So... rarely, a second server is built with the same FQDN, causing an issue with the original server's Kerberos realm membership... thing.
Is there an easy way to check/confirm this, similar to how you'd check the computer accounts for M$ AD?
Thanks in advance!
-Jake
6 years, 5 months
Make custom attribute fail in UI and SAVE Button
by barrykfl@gmail.com
Dear all:
I followed the FreeIPA 3.0 guide about web UI plugins. From the command line I
successfully made
a custom attribute called Employee "Commencement Date". I can add it using
a script / command.
BUT in the web UI it displays the "Commencement Date" label only... and does not
display an edit field or allow me to edit.
After that I changed it to multivalued; the field comes out, but the save
button is still grey and I cannot save.
Which part did I make wrong? Please advise. Thx
define(['freeipa/phases', 'freeipa/user'], function(phases, user_mod) {

    // helper function: first element of array whose attr equals value, else null
    function get_item(array, attr, value) {
        for (var i = 0, l = array.length; i < l; i++) {
            if (array[i][attr] === value) return array[i];
        }
        return null;
    }

    var cdate_plugin = {};

    cdate_plugin.add_c_date = function() {
        // the user entity's 'details' facet, then its 'identity' section
        var facet = get_item(user_mod.entity_spec.facets, '$type', 'details');
        var section = get_item(facet.sections, 'name', 'identity');
        section.fields.push({
            // field spec keys are 'name' and '$type'; '$name' is not a spec key,
            // so the field had no attribute to bind its edit widget to
            name: 'comdate',          // LDAP attribute, lower-case as in the API output
            $type: 'multivalued',
            label: 'Commencement Date'
        });
        return true;
    };

    // run once the core UI spec is loaded and can be customized
    phases.on('customization', cdate_plugin.add_c_date);

    return cdate_plugin;
});
6 years, 5 months
FreeIPA wiki: troubleshooting
by Florence Blanc-Renaud
Hi all,
FreeIPA wiki contains a really long page for Troubleshooting [1], and I
would like to re-organize the content a little bit differently.
My proposal would be to keep this page as the main access point and only
store pointers to other pages, organized by component. We can keep the
existing component structure, i.e.:
- installation
- directory server
- authentication/kerberos
- AD trusts
- dns
- pki
- administration framework
- web UI
- integration with other software
but I would also add
- certmonger and certificate renewal
- OTP
It would be great if the troubleshooting steps could explicitly define
which version they apply to (for instance the RA certificate has changed
location in 4.5).
I see this as a group effort, meaning that anyone planning to add
information related to troubleshooting could review the section he's
planning to modify and add details (for instance if the existing
information is deprecated, or applies only to a specific version etc...)
I can start by moving the content from [1] to component-specific pages,
for instance http://www.freeipa.org/page/Troubleshooting/Installation if
you agree with the proposal.
So any thoughts/comments on this?
Flo
[1] http://www.freeipa.org/page/Troubleshooting
6 years, 5 months
Got RBAC controls for individual AD users sorted; now to allow login based on AD group membership ?
by Chris Dagdigian
Hi folks,
Have an AWS footprint that thanks to FreeIPA can talk to a really
complex remote AD forest with lots of transitive trusts and child
domains. Would not be possible without FreeIPA in the mix.
So far we've only really been required to grant admin/sudo access, and
we've done that individually with role-based user and host groups.
I'm comfortable with bringing an AD user into the fold:
1. Make a non-posix group in FreeIPA to hold the AD usernames
2. Make a second group of type=POSIX that inherits members from the
external non-posix group
3. Implement RBAC controls and rules via the posix group
4. magic!
Now I need to globally allow SSH and possibly other PAM service access
based on pre-existing AD group membership
Looking for guidance or URLs on how to manage RBAC controls based on AD
group rather than AD username.
Is it roughly the same (or exactly the same?)
- Make non-posix group that references the AD group in FreeIPA
- Make POSIX group in FreeIPA that inherits members of the non-posix group
- Implement RBAC rules?
Any tips or cheatsheets for allowing RBAC controls based on groups that
exist in AD would be appreciated. thanks!
Chris
6 years, 5 months
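Added example, not Chris's code and not a reply from the list: the same external/POSIX group pair that Chris describes for individual AD users, applied to an AD group name, followed by an HBAC rule that lets that group use sshd on a host group. It drives the FreeIPA Python API (ipalib) and assumes an AD trust already exists and a Kerberos ticket for an IPA admin is present; the names 'AD\Domain Admins', 'ad_admins', 'ad_admins_ssh' and 'aws-linux' are constructed placeholders.

```python
# Added example (not from the thread). The AD group name, IPA group names and
# host group name are placeholders; replace them with your own.


def map_ad_group(ipa_api, ad_group, base_name):
    """Create the external -> POSIX group pair for one AD group.

    Same shape as for single AD users: the non-POSIX 'external' group holds the
    trusted-domain identity (here a whole AD group), the POSIX group nests it
    and is what HBAC and sudo rules refer to. Returns (external, posix).
    """
    external = u'%s_external' % base_name
    posix = base_name
    # ipa group-add --external <name>: a group that may contain trusted members
    ipa_api.Command.group_add(external, external=True)
    # ipa group-add-member --external 'AD\Group': the server resolves it to a SID
    ipa_api.Command.group_add_member(external, ipaexternalmember=[ad_group])
    # ipa group-add <name>: POSIX is the default group type
    ipa_api.Command.group_add(posix)
    # ipa group-add-member --groups <external>: nest the external group
    ipa_api.Command.group_add_member(posix, group=[external])
    return external, posix


def allow_ssh(ipa_api, rule_name, posix_group, hostgroup):
    """HBAC rule: members of posix_group may use sshd on hosts in hostgroup."""
    ipa_api.Command.hbacrule_add(rule_name)
    ipa_api.Command.hbacrule_add_user(rule_name, group=[posix_group])
    ipa_api.Command.hbacrule_add_host(rule_name, hostgroup=[hostgroup])
    ipa_api.Command.hbacrule_add_service(rule_name, hbacsvc=[u'sshd'])
    return rule_name


if __name__ == '__main__':
    from ipalib import api
    api.bootstrap(context='cli')
    api.finalize()
    api.Backend.rpcclient.connect()
    external, posix = map_ad_group(api, u'AD\\Domain Admins', u'ad_admins')
    print(allow_ssh(api, u'ad_admins_ssh', posix, u'aws-linux'))
```

Two things to check afterwards: the built-in `allow_all` HBAC rule, while enabled, already grants every user every service, so the new rule only has a restrictive effect once `allow_all` is disabled; and `ipa hbactest` (user, host, service) shows which rules matched for a given AD user before anyone relies on it.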
freeipa trust issues
by Zach Bayne
I have Active Directory as dc1.ad.domainname and dc2.ad.domainname.
I also have FreeIPA at ipa1.ipa.domainname and ipa2.ipa.domainname.
Both of them seem to work fine independently. I then created a trust and
set the SMB min and max to 2. From the Server 2k12 side the trust validates,
and from the IPA side I can kinit user@ad.domainname, but that's where the
working ends. I cannot log in to the web interface as an AD user; it says my session has
expired and to re-login. wbinfo status shows AD as offline.
Both LDAP DNS records for IPA and AD look correct.
[root@ipa1 ~]# wbinfo -n 'AD\Domain Admins'
failed to call wbcLookupName: WBC_ERR_DOMAIN_NOT_FOUND
Could not lookup name AD\Domain Admins
[root@ipa1 ~]# ipa --version
VERSION: 4.5.0, API_VERSION: 2.228
[root@ipa1 ~]# sssd --version
1.15.2
attached below is the log.wd.ad
I am happy to provide any more information and thank anyone who can help me
solve this, have been beaten up for a bit on it.
https://gist.github.com/anonymous/36d1a48cf1a1116b116f9ce911d91d8a
6 years, 5 months
Listing groups in FreeIPA
by Kristian Petersen
Hey all,
Is there a way to get a list of all of the groups in FreeIPA using the
python API?
--
Kristian Petersen
System Administrator
Dept. of Chemistry and Biochemistry
6 years, 5 months
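Added example, not Kristian's code and not a reply from the list: enumerating every group through the FreeIPA Python API (ipalib), which is the question above. It assumes the freeipa python packages are installed on an enrolled machine and that a Kerberos ticket (kinit) for a user allowed to read groups is present; the sample reply in the comments is constructed.

```python
# Added example (not from the thread). Runs as a client of the IPA server
# through ipalib's JSON-RPC backend; needs a Kerberos ticket.


def connect():
    """Bootstrap ipalib as a client and open the RPC connection."""
    from ipalib import api
    if not api.isdone('finalize'):
        api.bootstrap(context='cli')
        api.finalize()
    if not api.Backend.rpcclient.isconnected():
        api.Backend.rpcclient.connect()
    return api


def summarize(reply):
    """Turn a group_find reply into a list of (name, kind) tuples.

    reply['result'] holds one dict per group and every attribute value is a
    list. A POSIX group carries gidnumber, an external (trusted-domain) group
    carries the ipaexternalgroup object class, anything else is non-POSIX.
    """
    if reply.get('truncated'):
        # the server's search size limit cut the list short ("Search size
        # limit" in ipa config-show); ask for more, or for sizelimit=0
        raise RuntimeError('group list truncated by the server size limit')
    groups = []
    for entry in reply['result']:
        classes = [oc.lower() for oc in entry.get('objectclass', [])]
        if 'gidnumber' in entry:
            kind = 'posix'
        elif 'ipaexternalgroup' in classes:
            kind = 'external'
        else:
            kind = 'non-posix'
        groups.append((entry['cn'][0], kind))
    return groups


def list_groups(ipa_api):
    """All groups, not just the first page: sizelimit=0 disables the server
    limit, all=True adds objectclass (and the rest) to the default attributes."""
    reply = ipa_api.Command.group_find(sizelimit=0, all=True)
    return summarize(reply)


if __name__ == '__main__':
    for name, kind in list_groups(connect()):
        print('%-30s %s' % (name, kind))
```

The `truncated` check matters in practice: without `sizelimit=0` a large deployment silently gets only the first page of groups, which is the kind of gap that makes an access review miss a group.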
Re: Delete certificates from Dogtag PKI
by Francois Picot
Hello all,
I'm not sure this is the correct list to post in, but it seems to be more of a PKI issue. I'm wondering if there is a clean/easy way to delete certificates from IPA CA/PKI.
For a little context.. One of our systems has an IPA pair, which issues certificates for internal use via dogtag PKI. Two weeks ago, we found that some certificates were renewed without DNS SAN. After a few searches, I found this thread [1] which helped us import the profile into LDAP and everything seemed to go back to normal.
However, some servers in this system went mad a few days later, and certmonger looped on renewal of some certificates.
In /var/log/messages, we can see these two lines repeating every few seconds:
Nov 8 14:22:14 srv-01 certmonger: Certificate in file "/etc/httpd/httpd.crt" is no longer valid.
Nov 8 14:22:14 srv-01 certmonger: Certificate in file "/etc/httpd/httpd.crt" issued by CA and saved.
After restarting certmonger, the loop stopped.
The problem now is we have 54K certificates in IPA CA. Some hosts have up to 2400 certificates issued. The dirsrv file id2entry.db is 1.3GB. The backup process needs about 8GB to run and produce 3,5GB backups (up from ~100MB). Almost all ipa commands time out because of the huge number of certificates.
I would like to avoid revoking the certificates for two reasons:
* They are for an exclusively internal use, and I'm absolutely positive that they have not been compromised,
* It's likely it wouldn't solve the backup size problem.
Is there another way than manually deleting them from LDAP? I couldn't find any command that would simply delete the certs.
If not, is it safe to delete them ?
Kind regards,
François PICOT
[1] https://www.redhat.com/archives/freeipa-users/2016-May/msg00191.html
6 years, 5 months
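Added example, not François's code and not a reply from the list: a small detector for the certmonger renewal loop described above, run over syslog lines. It keys on the two message shapes quoted in the post and flags any certificate file that is re-issued several times inside a short window, which is what filled the CA with 54K certificates before the restart stopped it. The log lines in the block are constructed, and the year is passed in by the caller because syslog timestamps omit it (the sample uses 2017 as a made-up value).

```python
# Added example (not from the thread): flag certmonger renewal loops in
# /var/log/messages. Sample lines below are constructed.
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) certmonger: '
    r'Certificate in file "(?P<path>[^"]+)" '
    r'(?P<event>is no longer valid|issued by CA and saved)'
)

RENEWED = 'issued by CA and saved'


def parse_line(line, year):
    """Parse one certmonger syslog line into (timestamp, host, path, event).

    Returns None for other daemons or other certmonger messages.
    """
    m = LINE_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime('%d %s' % (year, m.group('ts')), '%Y %b %d %H:%M:%S')
    return ts, m.group('host'), m.group('path').strip(), m.group('event')


def find_renewal_loops(lines, year, window=timedelta(minutes=10), threshold=5):
    """Return {(host, path): renewals} for certificate files re-issued at
    least `threshold` times inside any `window`-long period.

    A healthy host renews a given certificate once per renewal period (days),
    so several re-issues within minutes means certmonger is looping and the
    CA is minting a fresh certificate on every pass.
    """
    recent = defaultdict(deque)   # (host, path) -> re-issue times in the window
    flagged = {}
    for line in lines:
        parsed = parse_line(line, year)
        if parsed is None or parsed[3] != RENEWED:
            continue
        ts, host, path, _ = parsed
        key = (host, path)
        q = recent[key]
        q.append(ts)
        while ts - q[0] > window:   # drop re-issues that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            flagged[key] = max(flagged.get(key, 0), len(q))
    return flagged


# Constructed sample: six re-issues of the httpd cert in 25 seconds on srv-01,
# one ordinary renewal on srv-02, and an unrelated sshd line.
SAMPLE_LOG = """\
Nov  8 14:22:14 srv-01 certmonger: Certificate in file "/etc/httpd/httpd.crt" is no longer valid.
Nov  8 14:22:14 srv-01 certmonger: Certificate in file "/etc/httpd/httpd.crt" issued by CA and saved.
Nov  8 14:22:19 srv-01 certmonger: Certificate in file "/etc/httpd/httpd.crt" is no longer valid.
Nov  8 14:22:19 srv-01 certmonger: Certificate in file "/etc/httpd/httpd.crt" issued by CA and saved.
Nov  8 14:22:24 srv-01 certmonger: Certificate in file "/etc/httpd/httpd.crt" issued by CA and saved.
Nov  8 14:22:29 srv-01 certmonger: Certificate in file "/etc/httpd/httpd.crt" issued by CA and saved.
Nov  8 14:22:34 srv-01 certmonger: Certificate in file "/etc/httpd/httpd.crt" issued by CA and saved.
Nov  8 14:22:39 srv-01 certmonger: Certificate in file "/etc/httpd/httpd.crt" issued by CA and saved.
Nov  8 14:30:00 srv-02 certmonger: Certificate in file "/etc/pki/tls/certs/ldap.crt" issued by CA and saved.
Nov  8 14:30:01 srv-01 sshd[1234]: Accepted publickey for admin from 10.0.0.5 port 50000 ssh2
"""

if __name__ == '__main__':
    loops = find_renewal_loops(SAMPLE_LOG.splitlines(), 2017)
    for (host, path), n in sorted(loops.items()):
        print('%s: %s re-issued %d times within 10 minutes' % (host, path, n))
```

The same detector run against `/var/log/messages` on each IPA client (`find_renewal_loops(open('/var/log/messages'), year)`) gives a per-file count of how many certificates each host pushed into the CA, which is the number you want before deciding what to do with the 54K entries.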
Knox and IPA integration
by Kat
Curious if anyone has done any configuration in using Apache Knox and
integrating into IPA for Kerberos auth?
thanks
K
6 years, 5 months